Flaws in Mozilla's Handling of Security Certificates Discovered and Fixed

Tuesday July 27th, 2004

CNET is reporting that two new flaws in the way Mozilla handles security certificates have been discovered. The more serious vulnerability allows a site to appear to have a valid security certificate when it does not (bug 253121). The other makes it possible for an attacker to overwrite the browser's root certificate authority certificates, after which an error message appears whenever the user tries to visit a genuine secure site (bug 249004). Both bugs have now been fixed in the source tree, but updated end-user releases of Mozilla products are not yet available.

#13 But it's not hours or days

by guanxi

Wednesday July 28th, 2004 7:40 AM

For end users, who are most of the users, the fix takes months -- until the next end-user release. And what about corporate installations? Should they reinstall Mozilla system-wide and implement a nightly build?

Sure, most people in this forum can download a nightly, but we specifically discourage end users from doing so (with good reason).

Mozilla is very good, and far superior to IE in this respect, but perfectly secure software is impossible. The only solution is a patch system. It's a necessity, I think, before Moz is ready for the corporate world.